Judge rules MD Anderson must pay $4.3M for HIPAA violations

An HHS administrative law judge has ruled that MD Anderson Cancer Center violated HIPAA and must pay $4,348,000 to the HHS Office for Civil Rights.

The violations date back to three separate breach reports in 2012 and 2013. The incidents involved the theft of an unencrypted laptop from an MD Anderson employee’s residence, as well as the loss of two unencrypted USB thumb drives holding the unencrypted ePHI of more than 33,500 people.

David Holtzman’s commentary on the MD Anderson HIPAA violation was featured in a MedCity News article.